The cybersecurity of election systems has long been a central focus of election officials and the federal government, starting with the passage of the Help America Vote Act in 2002 and continuing with the 2017 designation of elections as a critical infrastructure subsector. Federal partners in the Cybersecurity and Infrastructure Security Agency, the U.S. Election Assistance Commission, and the National Institute of Standards and Technology are supporting the election community, including election officials and vendors, in improving cybersecurity. More recently, this focus has expanded to concerns about the supply chain of components that are integral to election system equipment. This concern for the cybersecurity of supply chains is found throughout industry as organizations strive to protect their equipment and customers from cyber threats.
In this Perspective, RAND Corporation researchers lay out the considerations for securing election system supply chains against cyber threats and how the federal government can partner with state and local officials and the vendor community to understand where risk lies in the supply chain. The Perspective discusses how existing tools and approaches can be adapted and used to facilitate cyber supply chain risk management. It should be of interest to federal, state, and local election officials who will manage their relationships with the manufacturers of election equipment; to manufacturers that will, in turn, manage their relationships with their suppliers; and to those developing tools for mapping supply chains and assessing supply chain risk.